Hello, I am running DefectDojo 2.55.6. I am trying to upload a govulncheck report, but it returns an invalid JSON format error. Here is the command used:
govulncheck -format json . > dependency-report.json
[01/Apr/2026 10:02:35] WARNING [dojo.importers.base_importer:179] Invalid JSON format
[01/Apr/2026 10:02:35] ERROR [dojo.engagement.views:984] An exception error occurred during the report import
Traceback (most recent call last):
File "/app/dojo/tools/govulncheck/parser.py", line 74, in get_findings
data = json.load(scan_file)
File "/usr/local/lib/python3.13/json/__init__.py", line 298, in load
return loads(fp.read(),
cls=cls, object_hook=object_hook,
parse_float=parse_float, parse_int=parse_int,
parse_constant=parse_constant, object_pairs_hook=object_pairs_hook, **kw)
File "/usr/local/lib/python3.13/json/__init__.py", line 352, in loads
return _default_decoder.decode(s)
~~~~~~~~~~~~~~~~~~~~~~~^^^
File "/usr/local/lib/python3.13/json/decoder.py", line 348, in decode
raise JSONDecodeError("Extra data", s, end)
json.decoder.JSONDecodeError: Extra data: line 13 column 1 (char 289)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/app/dojo/importers/base_importer.py", line 177, in parse_findings_static_test_type
return parser.get_findings(scan, self.test)
~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
File "/app/dojo/tools/govulncheck/parser.py", line 77, in get_findings
raise ValueError(msg)
ValueError: Invalid JSON format
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/app/dojo/engagement/views.py", line 975, in import_findings
context["test"], _, finding_count, closed_finding_count, _, _, _ = importer_client.process_scan(
~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
context.pop("scan", None),
^^^^^^^^^^^^^^^^^^^^^^^^^^
)
^
File "/app/dojo/importers/default_importer.py", line 113, in process_scan
parsed_findings = self.parse_findings(scan, parser) or []
~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^
File "/app/dojo/importers/base_importer.py", line 282, in parse_findings
parsed_findings = self.parse_findings_static_test_type(scan, parser)
File "/app/dojo/importers/default_importer.py", line 417, in parse_findings_static_test_type
return super().parse_findings_static_test_type(scan, parser)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^
File "/app/dojo/importers/base_importer.py", line 180, in parse_findings_static_test_type
raise ValidationError(e)
django.core.exceptions.ValidationError: ['Invalid JSON format']
Can you check if the report is a valid json file? The error seems to suggest it isn't.
Yeah, the JSON file is invalid, but this was generated by govulncheck. Any idea about it?
govulncheck -format json . > dependency-report.json
If I generate any govulncheck report, it returns the same thing. Does anyone know how to fix this? Valentijn S.
I checked everywhere: govulncheck outputs Newline-Delimited JSON (NDJSON) — a stream of independent JSON objects, each on its own, separated by newlines. The objects come in this sequence:
{ "config": ... } ← scanner metadata, one per run
{ "SBOM": ... } ← all modules in go.mod with versions
{ "progress": ... } ← status messages (can appear multiple times)
{ "osv": ... } ← one per vulnerability CHECKED (entire vuln DB scan)
{ "osv": ... } ← ...repeated for every CVE govulncheck evaluated
{ "osv": ... }
{ "progress": ... }
{ "finding": ... } ← ONE per actual vulnerability found in YOUR code
{ "finding": ... } ← (can have multiple findings per OSV if multiple call sites)
But DefectDojo requires regular JSON, which is why DefectDojo fails to import the govulncheck report.
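An added example, not part of the thread and not DefectDojo's or govulncheck's own code: the stream described above makes json.load raise "Extra data" because it holds several top-level objects, and json.JSONDecoder.raw_decode can read them one at a time instead. The sample stream, its inner fields and IDs, and the helper names are constructed for illustration.

```python
import json

# Constructed sample in the shape the post describes: top-level JSON objects
# back to back, one pretty-printed. Inner fields and IDs are placeholders.
SAMPLE_STREAM = """{
  "config": {"scanner_name": "govulncheck"}
}
{"progress": {"message": "Scanning..."}}
{"osv": {"id": "GO-0000-0001", "summary": "constructed example"}}
{"finding": {"osv": "GO-0000-0001", "trace": [{"module": "example.com/mod"}]}}
{"finding": {"osv": "GO-0000-0001", "trace": [{"module": "example.com/other"}]}}
"""


def iter_json_stream(text):
    """Yield each top-level JSON value from a concatenated/NDJSON stream."""
    decoder = json.JSONDecoder()
    pos, end = 0, len(text)
    while pos < end:
        # raw_decode() rejects leading whitespace, so skip it between objects.
        if text[pos].isspace():
            pos += 1
            continue
        obj, pos = decoder.raw_decode(text, pos)
        yield obj


def group_by_message_type(text):
    """Collect payloads under their top-level key (config, osv, finding, ...)."""
    grouped = {}
    for message in iter_json_stream(text):
        for kind, payload in message.items():
            grouped.setdefault(kind, []).append(payload)
    return grouped


def fails_as_single_document(text):
    """True when json.loads() rejects the stream with 'Extra data'."""
    try:
        json.loads(text)
    except json.JSONDecodeError as exc:
        return exc.msg == "Extra data"
    return False


if __name__ == "__main__":
    print(json.dumps(group_by_message_type(SAMPLE_STREAM), indent=2))
```

A truncated report still raises json.JSONDecodeError from raw_decode, so a cut-off upload is rejected rather than silently imported as a partial result.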
Can you create a GitHub issue with an example JSON file?
I will create a GitHub issue, but I currently do not have any sample JSON file. Valentijn S.
Hello Valentijn S., thank you for the fix. I have a question regarding the fix. Currently, when we upload, all the vulnerabilities are set to info rather than picking the severity from each vulnerability itself.
We have to go personally into each link and update the severity. Rather than this, it can take the severity from the file itself.
Can you please create a bug report with an example file to reproduce?

